External risk intelligence

Nur-Alam39 bus-ticket bus_info.php SQL Injection Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.3)

CVE-2026-55740

A critical SQL injection vulnerability in a bus ticketing application allows unauthenticated attackers to execute arbitrary SQL commands and access sensitive database data. The flaw, located in bus_info.php, stems from unsanitized input, and the application's use of the MySQL root account with an empty password amplifi

SQL Injection

Halo Surface Signal (4)

Likely · external exposure

The vulnerability exists in a web application component designed to handle HTTP POST requests for bus information. As a web-based service managing ticket information, such applications are commonly deployed as internet-facing services intended for public access.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in a bus ticketing application, specifically in how it handles bus information requests. This flaw allows unauthenticated attackers to potentially access sensitive data from the application's database. The application's database connection is configured with elevated privileges, increasing the potential impact of a successful exploit.

  • Unauthenticated attackers can access sensitive data.
  • Critical flaw in bus ticket software requires attention.
  • Confirm relevance and potential exposure to business data.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the bus_info.php endpoint. This request targets the `busid` parameter, which is incorporated directly into a database query without validation or sanitization. By manipulating this parameter, an attacker can inject malicious SQL and retrieve sensitive data from the database, potentially including all information within the bus_service database, because the application connects with the highly privileged MySQL root account and an empty password.

  • No authentication required.
  • Inject malicious SQL via `busid` parameter.
  • Read sensitive database information.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could inject arbitrary SQL commands into the bus_info.php script by manipulating the `busid` parameter. According to the advisory, this could allow them to read any data from the `bus_service` database.

  • Database data could be exposed.
  • Via crafted HTTP POST requests.
  • Unauthorized data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in `bus_info.php` is likely to be owned by the application team responsible for the bus-ticket system, with support from infrastructure and database administrators given the use of the MySQL root account. The first practical step is to identify all instances of this application, confirm their reachability and criticality, and then engage the application owner to plan remediation, potentially involving vendor coordination if the code is part of a third-party solution.

  • Application owners should own the issue.
  • Verify application reachability and criticality.
  • Plan remediation with vendor if applicable.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-55740 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability can lead to automatic failure in PCI ASV scans due to its exploitability and potential to access sensitive data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is the Nur-Alam39 bus-ticket software?

Nur-Alam39 bus-ticket is an open-source web application designed to manage bus transit information and ticketing services. It typically functions as a backend system where users or administrators interact with bus schedules and booking data stored in a central MySQL database.

How does CVE-2026-55740 work?

This vulnerability is an SQL injection, classified as CWE-89. It occurs because the application takes user input from the busid parameter and inserts it directly into a database command without any security checks. This weakness allows an attacker to alter the intended database query to retrieve unauthorized information.

Do I need to be logged in to trigger this bug?

No, authentication is not required. An attacker can trigger the vulnerability by sending a specifically crafted HTTP POST request containing malicious data in the busid field. Because the system does not validate this input, the flaw can be reached by anyone with network access to the server, regardless of their user status.

Is my deployment at risk according to Halo Surface Signal?

Halo Surface Signal notes that this application is typically deployed as an internet-facing service to allow public access to ticket information. Because it is designed to be accessible over the web, the risk is higher for any instance exposed to the public internet compared to one restricted to an internal network.

What are the first steps to address this CVE?

You should immediately locate all running instances of the bus-ticket application within your environment. Once identified, evaluate if these services are exposed to the internet. Coordinate with the application owners to limit access or remove the vulnerable component until security updates or code-level fixes can be applied to sanitize database inputs.
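As an added example (not the project's code), the injection pattern described in the answer to "How does CVE-2026-55740 work?" is reconstructed hypothetically in PHP beside a hardened handler that applies the code-level fix the step above calls for. The `bus` table, its integer `busid` column and the `bus_reader` account are assumptions.

```php
<?php
// Added example, not the project's code. Assumed: a `bus` table with an
// integer `busid` column in `bus_service`; 'bus_reader' is an assumed account.

// VULNERABLE PATTERN (CWE-89) as the advisory describes it: the POST value is
// concatenated into the statement and the connection is root with no password,
// so injected SQL runs with full server privileges.
function lookup_bus_vulnerable(string $busid): array
{
    $db  = new mysqli('localhost', 'root', '', 'bus_service');
    $sql = "SELECT * FROM bus WHERE busid = '" . $busid . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// HARDENED: type validation, a server-side prepared statement with a bound
// parameter, and a dedicated SELECT-only account instead of root.
function lookup_bus_safe(string $busid): array
{
    // Reject anything that is not a positive integer before it reaches SQL.
    $id = filter_var($busid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return [];
    }
    // The read-only account's password comes from the environment, not source.
    $password = getenv('BUS_DB_PASSWORD');
    if ($password === false || $password === '') {
        throw new RuntimeException('BUS_DB_PASSWORD is not set');
    }
    $pdo = new PDO(
        'mysql:host=localhost;dbname=bus_service;charset=utf8mb4',
        'bus_reader',
        $password,
        [PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepare
    );
    // The value travels separately from the statement text, so it cannot
    // change the query's structure whatever the client sent.
    $stmt = $pdo->prepare('SELECT * FROM bus WHERE busid = :busid');
    $stmt->execute([':busid' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['busid'])) {
    header('Content-Type: application/json');
    echo json_encode(lookup_bus_safe((string) $_POST['busid']));
}
```

Pair the code change with a MySQL account that holds only SELECT on the tables the page needs, so that any remaining query bug cannot reach the rest of the server.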
